In response to user feedback, we have made it possible for PAW users to install their own software as needed for their work. Users no longer need to work through the Information Security Office (ISO) to get software deployed to PAWs. The self-service software installation process described here enables users to control the software load on their PAWs.
Please note: It is still important to follow the PAW usage guidelines when installing software. See How to Use a Privileged Access Workstation (PAW) for guidelines on suggested and prohibited activities. See the Software not to install section on this page for a list of software that should be installed only on untrusted workstations, never on PAWs.
How to install software
PAWs are protected by Carbon Black Protection in High Enforcement mode. This prevents unapproved binaries from executing. To install software and have it work properly, you must move the PAW into Local Approval Mode before installing software.
- Open the BigFix client user interface from the Windows system tray or the Mac menu bar.
- Select the [PAW] Move Machine to Local Approval Mode offer from the software offer list and click Accept. The BigFix client UI will present a notification that the action is complete, but this means that your request is in, not that the machine has entered local approval mode.
- Wait for a pop-up notification informing you that the system has entered Local Approval Mode. This can take a few minutes to appear.
- Perform your software installations and upgrades.
- Important: Move the machine back to High Enforcement by repeating the above instructions but using the [PAW] Restore Machine to High Enforcement Level offer.
- A pop-up notification will appear to inform you that the system has been restored to Full Enforcement.
Software not to install
The following software packages and classes of software are not approved for use on PAWs and should not be used. Run these in your normal untrusted compute environment.
- Microsoft Office and other Office-type suites
- Instant Messaging
- Email clients (Thunderbird, Outlook, etc)